On 22.01.2019 at 09:07, Wolfgang Rosenauer wrote:
Hi,
On 22.01.19 at 08:45, Adam Mizerski wrote:
1) There was a similar thread, you might find interesting: https://lists.opensuse.org/archive/opensuse/2018-12/msg00127.html
thanks for the pointer. I missed that.
2) Show a link to the howto you found.
https://github.com/cornelinux/yubikey-luks
https://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authen... (German, pretty much a translation from the GitHub README)
This looks quite good (it uses yubikey to mangle given password). The problem I see is that openSUSE uses mkinitrd/dracut to create initrd, which works differently than Debian/Ubuntu. Somebody with experience in this field should hop in here.
3) LUKS has 8 slots for various keys to unlock the partition. You can set up 3 passwords and 2 keyfiles and you need at least one to unlock (https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Key_manageme...). This should keep you safe from losing access to your data.
That's along the lines of what I found already. But for me this stops pretty immediately when trying to check prerequisites.
# cryptsetup status /dev/mapper/cr_home
/dev/mapper/cr_home is active and is in use.
  type: LUKS1
  cipher: aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device: /dev/nvme0n1p7
  sector size: 512
  offset: 4096 sectors
  size: 888360960 sectors
  mode: read/write

but

# cryptsetup luksDump /dev/mapper/cr_home
Device /dev/mapper/cr_home is not a valid LUKS device.
So I'm not even sure I can continue to add keys.
The encrypted FS is what YaST created when I installed Tumbleweed roughly a year ago. Is it usable at all?
Try: cryptsetup luksDump /dev/nvme0n1p7
Seems I need a virtual playground first before trying to fiddle with my real hardware and break something.
Oh yes. Playing with virtual machines is always fun! You can make snapshots and roll back if something breaks.
Wolfgang
On 21.01.2019 at 23:26, Wolfgang Rosenauer wrote:
as I understand from searching around it should be possible to do something like 2FA for crypto devices (LUKS). Or at least some challenge response.
I've got a Yubikey and I found an Ubuntu howto. Because this is a bit of a risky implementation when my crypted home partition is not accessible anymore I'm a bit hesitant to experiment like I do typically.
Therefore: Does anyone have a pointer to a HOWTO which works for openSUSE Tumbleweed?
Thanks, Wolfgang
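
Added example, not part of the original thread: a read-only parser for the LUKS1 on-disk header, showing why luksDump has to be pointed at the backing partition (the header with its 8 key slots lives there, while the opened /dev/mapper device only exposes the decrypted payload). The function names are hypothetical; the sample header is constructed, with cipher, key size and payload offset mirroring the status output quoted above and hash, UUID, iteration counts and slot fields made up.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
NUM_SLOTS = 8
# LUKS1 on-disk header, big-endian: magic, version, cipher name, cipher mode,
# hash spec, payload offset, key bytes, MK digest, MK salt, MK iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# One key slot: state, iterations, salt, key material offset, stripes.
SLOT = struct.Struct(">II32sII")
HEADER_LEN = PHDR.size + NUM_SLOTS * SLOT.size  # 208 + 8 * 48 = 592 bytes


def parse_luks1_header(buf):
    """Return header fields and active slot numbers, or None if not LUKS1."""
    if len(buf) < HEADER_LEN or buf[:6] != LUKS_MAGIC:
        return None
    _, version, cipher, mode, _, payload, key_bytes = PHDR.unpack_from(buf)[:7]
    if version != 1:
        return None
    active = [i for i in range(NUM_SLOTS)
              if SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)[0] == SLOT_ACTIVE]
    name = b"-".join(f.rstrip(b"\0") for f in (cipher, mode)).decode("ascii")
    return {"cipher": name, "key_bits": key_bytes * 8,
            "payload_offset_sectors": payload, "active_slots": active}


def build_sample_header(active_slots):
    """Constructed header: cipher, key size and offset mirror the status output
    quoted in the thread; hash, UUID, iterations and slot fields are made up."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 32,
                    bytes(20), bytes(32), 1000, b"0" * 36)
    for i in range(NUM_SLOTS):
        state = SLOT_ACTIVE if i in active_slots else SLOT_DISABLED
        hdr += SLOT.pack(state, 1000, bytes(32), 8 + i * 256, 4000)
    return hdr


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. a header backup file or the backing partition
        with open(sys.argv[1], "rb") as fh:
            print(parse_luks1_header(fh.read(HEADER_LEN)))
    else:
        print("backing device:", parse_luks1_header(build_sample_header({0, 1})))
        # Constructed stand-in for the opened mapping: plaintext, no LUKS magic.
        print("mapped device: ", parse_luks1_header(bytes(HEADER_LEN)))
```

The parser only reads; the list of active slots it returns is what to check before and after adding a key, so that at least one known-good passphrase slot stays in place.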